
Tuesday, April 03, 2007

The Month of PHP Bugs is over and I thought I'd make a little list of things you can do to mitigate the bugs where possible:

Update to PHP 5.2.1, watch for the next release and update to it as soon as it comes out. Do not use PHP 4, because at least one of the reported vulnerabilities will not be fixed by the developers (PHP 4 is considered old code).

Install Suhosin (unfortunately it is currently only available for Linux)

If you have the Zend Platform installed, take a look here to see if you are vulnerable to these exploits.

Disable the following functions (some of them are very common, so unless you run your own server you probably won't be able to disable them globally):

phpinfo()

substr_compare() - if you really need this function, the documentation page has a replacement for it written in PHP (I didn't test it, but it looks like it should work).

mb_parse_str()

iptcembed() - already disabled if you disabled the GD extension

Disable the following extensions (they are rarely used, so even if you are on shared hosting you can most probably get away with disabling them - and if you run your own server, of course disable every extension you don't use!):

WDDX

Ovrimos (now in PECL, but you may still have it installed from an older PHP version)

The zip extension from PECL

bz2_filter (the bzip2 stream filters, part of the bz2 extension)

SQLite - the issues with it are fixed in PHP 5.2.1, but be sure to read the description here before relaxing (you might be using a different version than you think).

the GD extension - this is relatively widely used, so you can only get away with disabling it if you run your own server
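To check whether the list above has actually been applied on a server, here is a small audit script. It is an added example, not code from the original post: it tests the live PHP configuration with function_exists() and extension_loaded() instead of reading php.ini, because an extension that was compiled in statically never appears as an extension= line, and function_exists() returns false for anything named in disable_functions. The extension names (wddx, ovrimos, zip, bz2, sqlite, gd, suhosin) are the usual module names; the SQLite line is flagged even on 5.2.1 so that you look at the version note before relaxing. The php.ini settings in the comment are what the script expects to find.

```php
<?php
// mopb_check.php - added audit script, not part of the original post.
// Run it on the server you want to check:  php mopb_check.php
// (or drop it in the web root temporarily if only mod_php is used,
// since the CLI may read a different php.ini than the web server).
//
// The php.ini settings this script verifies. disable_functions is
// PHP_INI_SYSTEM, so it must live in the main php.ini, not in .htaccess:
//   disable_functions = phpinfo,substr_compare,mb_parse_str,iptcembed
//   ; remove or comment out the extension= lines for
//   ;   wddx, ovrimos, zip, bz2, sqlite, gd
//   ; and rebuild PHP without them if they were compiled in statically.

$minVersion = '5.2.1';
// functions listed in the post
$functions  = array('phpinfo', 'substr_compare', 'mb_parse_str', 'iptcembed');
// extensions listed in the post (module names are an assumption,
// check "php -m" if one of them does not match your build)
$extensions = array('wddx', 'ovrimos', 'zip', 'bz2', 'sqlite', 'gd');

$problems = array();

// 1. version: PHP 4 will not be fixed, anything below 5.2.1 is missing fixes
if (version_compare(PHP_VERSION, '5.0.0', '<')) {
    $problems[] = 'PHP 4 in use (' . PHP_VERSION . '): unfixed bugs, upgrade to 5.2.1+';
} elseif (version_compare(PHP_VERSION, $minVersion, '<')) {
    $problems[] = 'PHP ' . PHP_VERSION . ' is older than ' . $minVersion;
}

// 2. functions: function_exists() is false for entries in disable_functions
foreach ($functions as $f) {
    if (function_exists($f)) {
        $problems[] = "function $f() is still callable";
    }
}

// 3. extensions: covers both extension= lines and statically compiled modules
foreach ($extensions as $e) {
    if (extension_loaded($e)) {
        $problems[] = "extension $e is loaded";
    }
}

// 4. Suhosin should be present
if (!extension_loaded('suhosin')) {
    $problems[] = 'Suhosin is not loaded';
}

if (count($problems) === 0) {
    echo "OK: nothing from the list is exposed\n";
    exit(0);
}
foreach ($problems as $p) {
    echo "WARN: $p\n";
}
exit(1);
```

The exit status makes it usable from a cron job or a deployment check. If the web server and the CLI use different php.ini files (common on Debian-style layouts), run it once through each SAPI, because a function disabled for the CLI may still be callable from a web script.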